2020Looking Back on 2020’s Top Privacy and Cybersecurity Trends

Looking Back on 2020’s Top Privacy and Cybersecurity Trends

As 2020 comes to a close, Beckage looks back on the ways this difficult and unprecedented year impacted the data privacy and cybersecurity landscape both domestically and across the globe.

Enhanced Privacy Challenges and Concerns Due to Covid-19

In response to the COVID-19 pandemic, businesses around the globe made a major pivot to online or virtual operations early this year. An intentional focus on data protection and a solid understanding of the regulatory landscape is a legal requirement that demands the integration of data protection up front in any network design or business practice. The increase in exposure of company assets made it necessary to implement a variety of technical safeguards. Companies still had to meet the compliance milestones of the NY SHIELD Act and California’s Consumer Protection Act (CCPA) while dealing with new privacy challenges caused by a distributed workforce and a global health pandemic. Beckage reminds organizations of the importance of revisiting their readiness through business continuity, incident response, and more expansive administrative, technical, and physical safeguards when shifting to a work-from-home model and recommends continued assessment of your company’s privacy pitfalls in this ever-shifting legal landscape.

Increased Ransomware and Cyberattacks

With rapid changes in organizational operations caused by the COVID-19 pandemic, attackers became more sophisticated in their strategies and unleashed several unrelenting, simultaneous attacks on service providers and the organizations they serve in 2020. Victims of recent cyber attacks, such as the SolarWinds campaign carried out in December, include government agencies, healthcare providers, consulting agencies, and , technology, telecom, and oil and gas companies. In many of these campaigns, attackers were able to gain access and move freely throughout an organization’s server, installing additional software, creating new accounts, and accessing sensitive data and valuable resources while remaining largely undetected. In response to the uptick in data incidents this year, the Beckage Incident Response Team recommends organizations implement several preventative steps to safeguard their organization to help minimize legal risk.

Patient Access Rights and Interoperability

Recent developments in 2020 concerning patients’ right to access health information to implement interoperability and record access requirements intend to help patients obtain access to health records and payment data to make informed decisions about their healthcare. The CMS Proposed Rule and the OCR Proposed Rule represent a complete overhaul of well-established standards and an introduction of new and highly technical requirements with healthcare compliance. The experienced Health Law Team at Beckage can help to distill these lengthy and complicated rules so organizations can understand practical implications on daily operations.

Increased International Focus on Consumer Privacy

On the heels of EU’s General Data Protection Regulation (GDPR), many countries followed suit by establishing legal frameworks for governing how organizations collect, use, and store their citizens’ personal data. One example is Brazil’s Lei Geral de Proteção de Dados (LGPD), which went into effect in August of 2020. This general data protection law, which closely mimics the GDPR, places strict requirements on organizations that process Brazilian citizen’s personal data.

At the same time, Europe continued to elevate its enforcement of the GDPR, with major decisions from various member state Data Protection Authorities, the European Court of Justice (ECJ), and the European Data Protection Board (EDBP). The most impactful for businesses across the globe was the ECJ’s decision in Schrems II, which invalidated the EU-US Privacy Shield and called into question the long-term viability of the Standard Contractual Clauses (SCCs) to transfer data from the EU to the US. In 2021, companies should closely monitor the evolving guidance on international data transfers and be prepared to mitigate risk of global data transfers.

Beckage’s Global Data Privacy Team expects continued adoption of data protection regulations across many regions, and an emphasis on creating global security and privacy compliance programs in the year ahead.

Uptick in ADA Litigation

This past year, the Beckage Accessibility Team has witnessed a drastic increase in litigation under Title III of the Americans with Disabilities Act. On average, about eight new lawsuits are filed a day by disabled individuals alleging unequal access to goods and services provided on a company’s digital platforms. While the Department of Justice (DOJ) has consistently held that the ADA applies to websites and mobile apps, they have failed to clarify the precise requirements for a business to be deemed compliant. This has prompted a wave of litigation by plaintiffs’ who claim a website or mobile app’s incompatibility with assistive technology, like screen-reading software, has denied them full access to and equal enjoyment of the goods, services, and accommodations of the website, therefore violating the ADA. Most of these lawsuits are settled quickly out of court to avoid litigating in such uncertain legal terrain.

Beckage handles the defense of website accessibility lawsuits as well as assists companies in navigate pre and post-suit settlement agreements for this unique area of the law.  Beckage also works with clients under privilege to conduct internal and remedial audits of client websites and mobile applications, evaluate platform compatibility and oversee implementation of recommended remedial or accessibility-enhancement measures.

California Consumer Protection Act (CCPA)  

Enforcement of California’s comprehensive California Consumer Privacy Act (CCPA) began on July 1, 2020 and has brought a range of plaintiff related lawsuits under its private right of action provision expanding California breach laws. For a data breach to be actionable, the information accessed must be identified as personal information, as narrowly defined by California’s data breach notification law. Recently, in November 2020, the Consumer Right To Privacy Act (CRPA) ballot initiative was passed, creating additional privacy rights and obligations pertaining to sensitive personal information that will go into effect. CPRA also expands data breach liability created by the CCPA, adds a private right of action for unauthorized access that permits access to an account if the business failed to maintain reasonable security, and imposes data protection obligations directly on service providers, contractors, and third parties. Beckage urges businesses who operate in or serve California citizens to continue to follow CCPA developments and carefully monitor related litigation in the coming months.

Emerging Technologies

The recent expansion of the Illinois Biometric Information Privacy Act (BIPA) has resulted in numerous class actions suits against organizations alleged to have collected plaintiffs’ biometric data. With the expanding use of biometric equipment, these claims often allege defendants obtained plaintiffs’ biometric data without complying with the BIPA’s notification and consent requirements. Upcoming class suits may address the issue of BIPA having an extraterritorial effect when bringing claims against out of state vendors.

Similarly, computers that manipulate the media, known as deep fakes, advance the dangers of influenced perceptions. The advancements of deep fakes are giving rise to laws regarding defamation, trade libel, false light, violation of right of publicity, or intentional infliction of emotional distress. Sophisticated tech lawyers can assist in determining rights and technological solutions to mitigate harm. As former tech business owners, Beckage lawyers want to drive innovation with use of these new and emerging technologies while understanding standards and laws that may impact such development. Beckage recommends that companies proactively mitigate the risks associated with collecting biometric information and deep fakes to prevent legal repercussions and defamation. 

Key Takeaways

2020 proved to be an unpredictable year in more ways than one. The COVID-19 pandemic forced companies to rapidly adapt to new privacy and data security challenges caused by a distributed workforce, emerging technologies, and an increased focus on ecommerce with in-person shopping and events. As we move towards 2021 with no definitive end to the pandemic in sight, it is crucial for companies to prioritize data privacy and cybersecurity initiatives by consulting qualified legal tech experts who can help navigate the uncertainty next year will bring. Beckage attorneys can assist in creating, implementing, and evaluating robust data security and privacy infrastructures that will help put your business in a position to tackle all the challenges 2021 has in store.

*Attorney Advertising. Prior results do not guarantee similar outcomes.

Subscribe to our newsletter.

Canada PrivacyCanada’s New Privacy Bill Aims to Strengthen Privacy Rights for Citizens

Canada’s New Privacy Bill Aims to Strengthen Privacy Rights for Citizens

On November 17, 2020, the Canadian Minister of Innovation, Science, and Industry introduced a new federal privacy bill that would reshape Canada’s privacy framework with a main goal of strengthening interoperability with both the European Union and the United States. Bill C-11 proposes the Digital Charter Implementation Act, 2020 which includes the Consumer Privacy Protection Act. This legislation would significantly increase protection of Canadian personal information by enhancing Canadian control over data and demanding more transparency from companies as to their handling of personal information. The Digital Charter Implementation Act includes:

  1. Increased control and transparency of Canadian personal identifiable information being handled by companies,
  2. Ability for Canadians to move information from one organization to another in a secure manner,
  3. Right for Canadians to destroy their information,
  4. Ability of the Privacy Commissioner to force an organization to comply and order businesses and corporations to stop collecting data or using personal information, and
  5. Strongest fine among G7 privacy laws.

Penalties and Provisions

There are significant fines for noncompliant businesses – up to 5% of revenue or a sum of Can$25 million, whichever is higher. The bill would also modernize the Consumer Privacy Protection Act (CPPA) to protect an individual’s personal information while regulating organizations collection, use, and disclosure of personal information. The CPPA would also further consent requirements for handling personal information, create transparency requirements with respect to algorithms and artificial intelligence (AI), mobility of personal data, retention and disposal of personal information, and codifies legitimate interests where consent is not required. The CPPA updates the Personal Information Protection and Electronic Documents Act, which governed how private sector organizations collect, use, and disclose personal information in commercial business.

Part of Bill C-11 also introduces the Personal Information and Privacy Protection Tribunal Act (PIPPTA). The PIPPTA was established to create an accelerated and more direct path to enforcement of orders from the Office of the Private Commissioner to meet its expanded role and provide strong enforcement. The PIPPTA also includes a private right of action, allowing individuals to sue where the commissioner issues a finding of a privacy violation and it will be upheld by the Tribunal. However, all cases must be brought up within two years of the violation.

Impact

Canada’s proposed federal privacy bill follows the lead of the European Union’s General Data Protection Regulation and the United States’ California Consumer Privacy Act. Canada’s privacy bill was created to impose obligations on any business that collects Canadian personal data. Businesses and companies that fail to comply will be subject to the penalties outlined above. If Bill C-11 is passed, US businesses that collect and/or process the personal data of Canadians will have to enact procedures that comply with the Consumer Privacy Protection Act and other requirements in the bill. As with any new piece of data legislation, it crucial that companies potentially impacted perform a thorough review of their forward-facing privacy practices as well as update their internal procedures to address any new compliance requirements.

At Beckage, we have a team of Global Data Privacy Attorneys that continue to monitor the constantly evolving data privacy and cybersecurity legislation landscape. The Beckage team is made up of technologists and Certified Information Privacy Professionals (CIPP/US & CIPP/E) who can help develop and review new and existing privacy policies compliant with Bill C-11 and other international legislation to help protect your business.

*Attorney Advertising. Prior results do not guarantee similar outcomes.

Subscribe to our Newsletter.

EU Data TransfersThe EU Continues to Weigh In on Cross-Border Data Transfers

The EU Continues to Weigh In on Cross-Border Data Transfers

In the past month, the European Data Protection Board (EDPB) has provided insight into its interpretation of the Schrems II decision by the EU Court of Justice (ECJ) in July 2020.  In Schrems II, the ECJ invalidated the EU-US Privacy Shield, the mechanism allowing for the lawful transfer of personal data from the EU to the US.  The ECJ did uphold the continued use of Standard Contractual Clauses (SCCs) as a mechanism to continue to transfer personal data outside of the European Union (EU), but with a caveat;  

“In so far as those standard data protection clauses cannot, having regard to their very nature, provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under EU law, they may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection.”

Where the ECJ decision failed to provide sufficient supplementary measures to permit companies’ use of the SCCs in international data transfers, the EDPB released Recommendations 01/2020 (“Recommendations”) intended to provide a framework to address, or at least attempt to understand, the vague “supplementary measures” envisioned by the ECJ.  These Recommendations are open for public comment until December 21, 2020.

These Recommendations, the ultimate goal of which is to determine if the protections provided by a non-EU country are “essentially equivalent” to those provided within the EU, include six key factors:

Measures that supplement transfer tools to ensure compliance with EU level of persona ldata protection.
  1. Know Your Transfers

The first thing a company needs to ask is whether they transfer data internationally.  To answer that question, it is helpful to start with data mapping.  Data mapping helps identify what data companies have, why they have it, and what they are using it for.  In the cross-border data transfer context, it is also important to understand if you are exporting or importing data and what parties you are sending it to and/or receiving it from.  A data map can help you to determine the true risks created by cross-border data transfers.

2. Verify Your Transfer Tool

This factor relies heavily on the valid mechanisms to transfer data under Chapter V of the GDPR.  For example, if the EU Commission has already approved a receiving country under an adequacy decision, then personal data can be transferred lawfully. Alternatively, companies can rely on the SCCs, Binding Corporate Rules, or other mechanisms allowed for under the GDPR.

The SCCs are also subject to revision, with the European Commission releasing revisions on November 10, 2020 for comment.  The SCCs remain valid but are now a user-beware proposition with parties subject to the SCCs clearly required to demonstrate that the protections provided adequately meet the EU data protection requirements.

As such, this step requires companies to delve into the current mechanisms used to transfer data (after mapping those data transfers in step 1) and then identifying the best mechanism to legally conduct the transfer.

3. Assessing the Law of the Receiving Country

When reviewing the intended country receiving the personal data, it is key that a company assess whether the privacy and security measures are adequate to address any concerns.  The Recommendations emphasize that the review “should be primarily focused on third country legislation that is relevant to your transfer.”  This is an important scoping reference; there are many laws that may not align with EU data protection requirements, but the key is whether those laws would impact your transfer.

For example, in response to Schrems II, the Department of Justice, Department of Commerce and the Office of the Director of National Intelligence jointly prepared a white paper entitled, Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (the “White Paper”).  The White Paper made clear that certain legislation in the US that Schrems II took issue with, specifically Executive Order 12333 (“EO 12333”), and (2) Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”), would not apply to most companies transferring data to the US.  As such, under the Recommendations, these laws would not be considered when assessing the receiving country’s laws.

4. Identify and Adopt Supplemental Measures

The Recommendations state that “[t]his step is only necessary if your assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool you are relying on or you intend to rely on in the context of your transfer.”  Annex 2 of the Recommendations lays out scenarios with corresponding supplemental measures that may be used to alleviate the privacy and legal risks associated with the continued transfer of the personal data.

Ultimately, each data transfer is analyzed, and the appropriate supplementary measures are assessed on a case-by-case basis.  This ties into the first factor, data mapping. Without a deeper understanding of where the data is going, and what is happening to the data once transferred, it is challenging to even start to identify the appropriate supplemental measures.  It is the combination of the appropriate legal transfer tool plus the supplemental measures that allow the transfer to move forward.

5. Formal Procedural Steps

Once a path forward is determined, the companies transferring the personal data must execute formal documentation of such transfer and comply with the requirements of the chosen transfer tool.

6. Accountability

A key component of all data protection requirements under the GDPR is documentation and accountability.  The Recommendations make clear that accountability requires active participation by all parties involved in the transfer:

“The right to data protection has an active nature.  It requires exporters and importers (whether they are controllers and/or processors) to go beyond an acknowledgement or passive compliance with this right.”

A “set it and forget it” approach is not permissible: the company must continue to monitor legal and regulatory developments in the recipient country to continue to confirm that the legal tool used to transfer the personal data and the supplementary measures remain valid.

Recommended Next Steps

While the Recommendations are still under consideration, they do point to a need for deeper analysis of both your data flows and the reason for those data transfers.  For many companies, the inclusion of SCCs to all agreements has become routine.  But, those agreements, and the legal tool to transfer data under those agreements, need to be addressed on a case-by-case basis, with an understanding of the legal requirements and the corresponding risks.

Beckage’s Global Data Privacy Team works with clients to assess their current infrastructure to further evaluate bases for international data transfers, including the use of DPAs, SCCs and on the development of Binding Corporate Rules.  Team Beckage includes Certified Information Privacy Professionals (CIPP/US) and (CIPP/E) and Certified Information Privacy Managers (CIPM) as certified by the International Association of Privacy Professionals as well as attorneys with substantial experience navigating the ever-changing international privacy landscape.  

Watch the full video blog.

*Attorney advertising.  Prior results do not guarantee future outcomes.

Subscribe to the Beckage Newsletter.

BrazilBrazil’s New Privacy Law: What Your Business Needs To Know

Brazil’s New Privacy Law: What Your Business Needs To Know

Brazil’s New Privacy Law: What Your Business Needs To Know

The Lei Geral de Proteção de Dados (LGPD) is Brazil’s General Data Protection law that creates a legal framework for the use of personal data that is processed or related to individuals in Brazil. The LGPD is largely aligned with the EU’s General Data Protection Regulation (GDPR), one of the  toughest privacy and security laws in the world that imposes obligations on organizations that target and collect data from subjects in the EU. Similarly, the LGPD is a comprehensive approach to personal data protection for individuals in Brazil. The LGPD goes into effect on August 16, 2020.

Does the LGPD Apply to My Business?

The LGPD applies to any business, regardless of its location in the world, that processes personal data of the people of Brazil, personal data collected in Brazil, and personal data associated with the offering of goods or services in Brazil. Personal data is broadly defined by the LGPD to include any information related to an identified or identifiable natural person. Personal data can include names, identification numbers, online identifiers and locators, or can extend to psychological, mental, or economic facts. Anonymized data is not considered personal data. Similar to the GDPR, an organization must have a valid basis for processing personal data under the LGPD. The LGPD also grants Brazilian residents a number of rights over their personal data including access to personal data, deletion of personal data processed with consent, and access to information about entities with whom the organization has shared the individual’s personal data.

There are a few exceptions to the LGPD, namely:

1. Data processed by a person strictly for personal reasons,

2. Data processed exclusively for journalistic, artistic, literary, or academic purposes, and

3. Data exclusively processed for national security, national defense, public safety, a criminal investigation, etc.

Other fundamental rights under the LGPD include:

• Right to confirmation of the existence of the processing

• Right to correct incomplete, inaccurate, or out-of-date data

• Right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD

• Right to the portability of data to another service or product provider, by means of an express request

• Right to information about possibility of denying consent and consequences of such denial, and

• Right to revoke consent.

Similar to what we have seen under other privacy paradigms such as the GDPR, CCPA and NY Shield Act, the LGPD requires controllers and processors to adopt technical and administrative security measures to protect personal data from unauthorized access. Organizations, in most cases, must appoint a data protection officer responsible for receiving complaints and communications. Additionally, organizations are responsible to report data breaches to the Brazilian authorities and notify the data subject in a “reasonable amount of time” if the breach is likely of risk or harm. If necessary, the National Data Protection Authority can order the controller to adopt privacy protection measures to mitigate the effects of the incident.

The LGPD is not as punitive as the GDPR in sentiment and financial penalties. The LGPD establishes fines of up to 2% of a company’s sales revenue of up to 50 million Brazilian Real, equaling $12,894,500 USD, or 11.2 million Euros. This is compared to the GDPR’s 4% of revenue, up to 20 million Euros per violation.

Brazil’s newly implemented law, reminiscent of the GDPR, requires compliance with strict requirements related to the processing of personal data. Beckage’s team of highly experienced attorneys can work with your business to evaluate whether, and to what extent, privacy laws such as the LGPD, GDPR, CCPA and NY Shield Act apply. Understanding what data your business is collecting, how it is being processed, and with whom that data is being shared are just some of the critical questions that need to be explored with counsel.  Our Beckage team can help you align with the LGPD’s business requirements while implementing controls and mitigating risk.

*Attorney Advertising. Prior results do not guarantee a similar outcome.

Subscribe to our newsletter.